I was recently demonstrating the glorious capabilities of pfSense to a hardcore Cisco addict. I was told that there is not any chance that a "Linux Base OS" could come close to competing with the ASA line. (That statement is so wrong on so many levels.) But not to nitpick. I am looking for a way to measure and prove what he calls "The Determining Factors": basically Throughput, Max Sim Connections Per Second, & Max New Connections Per Second. Is there a chart or tool out there that I can get a fairly accurate number on this from if I run it against our firewalls that are currently in production?

Well, being a Cisco fan personally, I can say this. pfSense beats the tar out of IOS in price. Use case is what determines what will be your best solution, not some fanboy rantings, err ratings! I meant ratings!

There is simply no comparison between the two. The Cisco ASA platform runs on a purpose-built operating system and hardware that is optimized for network security and throughput. pfSense will never be able to come close to the performance of the ASA platform, since it runs on general purpose hardware and a general purpose operating system.

The question is, assuming that all statements about Cisco having higher performance are true, does it matter? If you have 2 firewalls, brand x and Cisco, and Brand X will do 200% more than you need and Cisco will do 210% more than you need, do you even care?

Evaluate based on features and what your requirements are. Cisco, while a good answer in many scenarios, is not the best answer in all scenarios.

There is simply no comparison between the two. The Cisco ASA platform runs on a purpose-built operating system and hardware that is optimized for network security and throughput. pfSense will never be able to come close to the performance of the ASA platform, since it runs on general purpose hardware and a general purpose operating system.

I'm neither a pfSense nor a Cisco guy, but I've found, when looking at most things in IT, that the above is true in general but tends to break down when you look at specifics. It's certainly true that something purpose-built will typically outperform something general purpose when looking at similar classes of device. That said, general purpose will often beat the ever-loving pants off of purpose-built because of economies of scale.

The purpose-built box might have (made up numbers) a dual core 500 MHz CPU and 1 GB of RAM, while the general purpose box has an 8-core 3 GHz CPU and 16 GB of RAM; the GP box is probably going to win. What's more, the costs are similar (or even lower for the GP box!) because the vendors in question sell them in the tens of thousands, and the millions, respectively. OTOH, the purpose-built box may have a feature set that an open source solution running on commodity hardware cannot match (and may be a few years behind).

My point here is that you should fairly evaluate all viable solutions based on your budget and your workload rather than making a blind call based on brand name, or licensing philosophy.

If cost is no factor, you're talking about a product (Cisco) that has optimized its IOS platform for the hardware it runs on. pfSense is great (and a great price), but requires a lot more finesse. You're going to have two strong sides, I believe... Like talking politics. Get two passionate people in an argument about performance, and it'll just be a run-on. Besides, there are so many factors that come into play aside from performance... Security, routing efficiency, etc. Measuring those is valued too. What I'm saying is they're both great and it's hard to compare.

Well, this is what I am currently running in a small Data Center. Keeping in mind I have 2 of these in an HA Cluster with ISP and Load Balancing on both. Now together the 2 servers that I have the firewalls running on cost me exactly $1334.52 after shipping. Looking at just a single pf box and comparing it to an ASA 5550 (also have one of them currently in place on our Fiber network), the cost comparison is not even close, as the 5550 was just a hair over $15,000. The ASA will not load balance (unless you pay more). It will not do failover (unless you buy a second one and pay extra Licensing). It does not do load balancing (unless you pay more). The anti-malware that is based off of Snort is available on the 5550 for an additional $10,000 annual license, less as you work your way down in models, and yes we did have this priced out. There is no automatic ACL generation for Known Spammers and Country blocking. There is no content filtering, and the ASDM will make you lose your marbles trying to install it on the correct version of Java.

As far as the PF box, it has all of that in the original install. All add-on packages are available at no charge and they are not pre-enabled, so you don't have to worry about them bloating up your firewall. Don't get me wrong, the ASA and Cisco as a whole make an outstanding product. I believe in Cisco so much that they are what is in place in our entire backbone infrastructure, and we have an 11 site direct fiber connected network. We are even going to order some of the new MGIG technology switches when they release them later this year. However, when it comes to performance on a firewall, I have yet to see the ASA outperform the pfSense we currently have in place. Not to mention, in a lot of the research I am doing, I am finding that a lot of your major web hosting companies and many large corporations are starting to use pfSense as a firewall of choice because of the security.

Like I said, I love Cisco. Hate the pricing, but love the product. I am simply attempting to open my dear friend's eyes a little and show him that there is another world beyond the "blue", even though now they are kind of that charcoal grayish looking color. Was that supposed to be black? It looks off to me. They should go back to the blue; it looked better.

I would agree that in many situations pfSense is perfectly suitable and certainly more cost effective. However, Cisco and others that make dedicated appliances are better suited for mission critical environments due to the support they can offer. If 10s of thousands or 100s of thousands or millions of dollars can be lost by long downtime, you really have to be careful what you select. With Cisco we can call TAC as soon as there is an issue and they will work with us through completion. We can get 4-hour replacements on hardware, among other things, which is necessary.
Certainly look at what it would cost to be without the network and go from there.


To get back to your original question, you could run iperf to test the bandwidth. This will make sure that you're getting the bandwidth you expect without the firewall being a bottleneck. Testing max connections, etc. might not be relevant depending on how large your network is behind the firewall.
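The two numbers the original question asks for, throughput and new connections per second, can be measured with a small harness like the one below. This is an added example written for this thread, not code from any poster or from pfSense or Cisco; the function names (`start_sink_server`, `measure_throughput`, `measure_connection_rate`) and the default sizes are my own choices. Run as written it talks to itself over loopback, which only measures the host's own TCP stack; to measure a firewall, run the sink on a host on one side and the two measurement functions on a host on the other side, so every byte and every connection setup crosses the device. A loopback run first gives the ceiling of the test hosts themselves, so the firewall is not blamed for a limit the clients impose, and a run during normal business load will include whatever other traffic the production firewall is carrying at the time.

```python
import socket
import threading
import time


def start_sink_server(host="127.0.0.1", port=0):
    """Accept TCP connections and discard everything received.
    Returns (listening_port, stop_callable). port=0 picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(256)
    srv.settimeout(0.2)  # lets the accept loop notice the stop flag
    stop = threading.Event()

    def drain(conn):
        with conn:
            while conn.recv(65536):  # recv() returns b"" once the client closes
                pass

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=drain, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], stop.set


def measure_throughput(host, port, total_bytes=16 * 1024 * 1024, chunk=256 * 1024):
    """Push total_bytes over a single TCP stream (what iperf does by default).
    Returns (megabits_per_second, bytes_sent)."""
    payload = b"\x00" * chunk  # constructed filler; content does not matter
    sent = 0
    with socket.create_connection((host, port)) as s:
        t0 = time.perf_counter()
        while sent < total_bytes:
            n = min(chunk, total_bytes - sent)
            s.sendall(payload[:n])
            sent += n
        elapsed = time.perf_counter() - t0
    return (sent * 8 / elapsed) / 1e6, sent


def measure_connection_rate(host, port, count=500, workers=8, timeout=2.0):
    """Open `count` short-lived TCP connections from `workers` threads.
    Each connection is a new state-table entry for a firewall in the path.
    Returns (new_connections_per_second, successful_connections)."""
    successes = 0
    lock = threading.Lock()
    # spread the connection budget evenly across workers
    per_worker = [count // workers + (1 if i < count % workers else 0)
                  for i in range(workers)]

    def worker(n):
        nonlocal successes
        ok = 0
        for _ in range(n):
            try:
                with socket.create_connection((host, port), timeout=timeout):
                    pass  # connect, then close immediately
            except OSError:
                continue  # refused/timed out: counts against the rate
            ok += 1
        with lock:
            successes += ok

    threads = [threading.Thread(target=worker, args=(n,)) for n in per_worker]
    t0 = time.perf_counter()
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    elapsed = time.perf_counter() - t0
    return successes / elapsed, successes


if __name__ == "__main__":
    # Loopback self-test: replace host/port with the sink host across the firewall.
    port, stop = start_sink_server()
    mbps, nbytes = measure_throughput("127.0.0.1", port)
    cps, nconn = measure_connection_rate("127.0.0.1", port)
    stop()
    print(f"throughput: {mbps:.0f} Mbit/s over {nbytes} bytes")
    print(f"new connections: {cps:.0f}/s ({nconn} succeeded)")
```

The connection-rate figure counts only connections that completed the handshake, so a firewall that starts dropping SYNs under load shows up as fewer successes rather than a silently inflated rate. Compare the loopback baseline with the across-the-firewall run rather than quoting either number alone.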
